

[src/netbsd-6-0]: src Pull up revisions:



details:   https://anonhg.NetBSD.org/src/rev/8a859bb6f336
branches:  netbsd-6-0
changeset: 774824:8a859bb6f336
user:      jdc <jdc%NetBSD.org@localhost>
date:      Mon Jul 08 07:40:34 2013 +0000

description:
Pull up revisions:
  src/share/man/man7/sysctl.7 revision 1.73 via patch
  src/sys/netinet6/icmp6.c revision 1.161 via patch
  src/sys/netinet6/in6.c revision 1.161 via patch
  src/sys/netinet6/in6_proto.c revision 1.97 via patch
  src/sys/netinet6/in6_var.h revision 1.65 via patch
  src/sys/netinet6/ip6_input.c revision 1.139 via patch
  src/sys/netinet6/ip6_var.h revision 1.59 via patch
  src/sys/netinet6/nd6.c revision 1.143 via patch
  src/sys/netinet6/nd6.h revision 1.57 via patch
  src/sys/netinet6/nd6_rtr.c revision 1.83 via patch
(requested by christos in ticket #905).
Patch by Loganaden Velvindron.

  4 new sysctls, taken from OpenBSD, to avoid IPv6 DoS attacks

diffstat:

 share/man/man7/sysctl.7  |  24 +++++++++++++-
 sys/netinet6/icmp6.c     |   6 ++-
 sys/netinet6/in6.c       |   6 ++-
 sys/netinet6/in6_proto.c |   8 +++-
 sys/netinet6/in6_var.h   |   4 +-
 sys/netinet6/ip6_input.c |  36 ++++++++++++++++++++-
 sys/netinet6/ip6_var.h   |   6 +++-
 sys/netinet6/nd6.c       |  54 ++++++++++++++++++++++++++++++-
 sys/netinet6/nd6.h       |   5 ++-
 sys/netinet6/nd6_rtr.c   |  79 +++++++++++++++++++++++++++++++++++++++++++++--
 10 files changed, 208 insertions(+), 20 deletions(-)

diffs (truncated from 524 to 300 lines):

diff -r 11c0172309c6 -r 8a859bb6f336 share/man/man7/sysctl.7
--- a/share/man/man7/sysctl.7   Thu Jun 27 01:27:56 2013 +0000
+++ b/share/man/man7/sysctl.7   Mon Jul 08 07:40:34 2013 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: sysctl.7,v 1.68 2011/11/03 00:29:00 jym Exp $
+.\"    $NetBSD: sysctl.7,v 1.68.6.1 2013/07/08 07:40:34 jdc Exp $
 .\"
 .\" Copyright (c) 1993
 .\"    The Regents of the University of California.  All rights reserved.
@@ -29,7 +29,7 @@
 .\"
 .\"    @(#)sysctl.3    8.4 (Berkeley) 5/9/95
 .\"
-.Dd September 24, 2011
+.Dd June 22, 2012
 .Dt SYSCTL 7
 .Os
 .Sh NAME
@@ -1212,8 +1212,12 @@
 .It ip hostzerobroadcast       integer yes
 .It ip lowportmin      integer yes
 .It ip lowportmax      integer yes
+.It ip6        maxdynroutes    integer yes
+.It ip6        maxifprefixes   integer yes
+.It ip6        maxifdefrouters integer yes
 .It ip maxflows        integer yes
 .It ip maxfragpackets  integer yes
+.It ip6        neighborgcthresh        integer yes
 .It ip mtudisc integer yes
 .It ip mtudisctimeout  integer yes
 .It ip random_id       integer yes
@@ -1687,6 +1691,18 @@
 This cannot be set to less than 0 or greater than 1024, and must
 be smaller than
 .Li ip6.lowportmax .
+.It Li ip6.maxdynroutes
+Maximum number of routes created by redirect.
+Set it to negative to disable.
+The default value is 4096.
+.It Li ip6.maxifprefixes
+Maximum number of prefixes created by route advertisements per interface.
+Set it to negative to disable.
+The default value is 16.
+.It Li ip6.maxifdefrouters 16
+Maximum number of default routers created by route advertisements per interface.
+Set it to negative to disable.
+The default value is 16.
 .It Li ip6.maxflows
 IPv6 Fast Forwarding is enabled by default.
 If set to 0, IPv6 Fast Forwarding is disabled.
@@ -1703,6 +1719,10 @@
 0 means that the node will not accept any fragments.
 \-1 means that the node will accept as many fragments as it receives.
 The flag is provided basically for avoiding possible DoS attacks.
+.It Li ip6.neighborgcthresh
+Maximum number of entries in neighbor cache.
+Set to negative to disable.
+The default value is 2048.
 .It Li ip6.redirect
 If set to 1, ICMPv6 redirects may be sent by the node.
 This option is ignored unless the node is routing IP packets,
diff -r 11c0172309c6 -r 8a859bb6f336 sys/netinet6/icmp6.c
--- a/sys/netinet6/icmp6.c      Thu Jun 27 01:27:56 2013 +0000
+++ b/sys/netinet6/icmp6.c      Mon Jul 08 07:40:34 2013 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: icmp6.c,v 1.159 2011/12/31 20:41:59 christos Exp $     */
+/*     $NetBSD: icmp6.c,v 1.159.6.1 2013/07/08 07:40:34 jdc Exp $      */
 /*     $KAME: icmp6.c,v 1.217 2001/06/20 15:03:29 jinmei Exp $ */
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.159 2011/12/31 20:41:59 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: icmp6.c,v 1.159.6.1 2013/07/08 07:40:34 jdc Exp $");
 
 #include "opt_inet.h"
 #include "opt_ipsec.h"
@@ -2284,6 +2284,8 @@
                 * (there will be additional hops, though).
                 */
                rtcount = rt_timer_count(icmp6_redirect_timeout_q);
+               if (0 <= ip6_maxdynroutes && rtcount >= ip6_maxdynroutes)
+                       goto freeit;
                if (0 <= icmp6_redirect_hiwat && rtcount > icmp6_redirect_hiwat)
                        return;
                else if (0 <= icmp6_redirect_lowat &&
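Review bot: The new `goto freeit` on the maxdynroutes cap discards the redirect silently: nothing in the ICMPv6 statistics is incremented before the jump, so an operator watching counters cannot tell that redirects are being dropped because the dynamic-route limit was reached; bumping a statistic (the existing bad-redirect counter, or a dedicated one) on that path would make the limit observable. The new test is also shaped differently from the adjacent hiwat test, `>=` against `ip6_maxdynroutes` versus `>` against `icmp6_redirect_hiwat`, and the hiwat branch leaves with a bare `return` where the new code uses `goto freeit`; if `m` is still owned at that point, the older path would leak the mbuf while the new one frees it, which is worth confirming while touching this block. The enclosing function begins and ends outside the hunk.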
diff -r 11c0172309c6 -r 8a859bb6f336 sys/netinet6/in6.c
--- a/sys/netinet6/in6.c        Thu Jun 27 01:27:56 2013 +0000
+++ b/sys/netinet6/in6.c        Mon Jul 08 07:40:34 2013 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: in6.c,v 1.159 2011/11/19 22:51:26 tls Exp $    */
+/*     $NetBSD: in6.c,v 1.159.8.1 2013/07/08 07:40:34 jdc Exp $        */
 /*     $KAME: in6.c,v 1.198 2001/07/18 09:12:38 itojun Exp $   */
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: in6.c,v 1.159 2011/11/19 22:51:26 tls Exp $");
+__KERNEL_RCSID(0, "$NetBSD: in6.c,v 1.159.8.1 2013/07/08 07:40:34 jdc Exp $");
 
 #include "opt_inet.h"
 #include "opt_pfil_hooks.h"
@@ -2281,6 +2281,8 @@
 
        ext->nd_ifinfo = nd6_ifattach(ifp);
        ext->scope6_id = scope6_ifattach(ifp);
+       ext->nprefixes = 0;
+       ext->ndefrouters = 0;
        return ext;
 }
 
diff -r 11c0172309c6 -r 8a859bb6f336 sys/netinet6/in6_proto.c
--- a/sys/netinet6/in6_proto.c  Thu Jun 27 01:27:56 2013 +0000
+++ b/sys/netinet6/in6_proto.c  Mon Jul 08 07:40:34 2013 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: in6_proto.c,v 1.95 2011/12/31 20:41:59 christos Exp $  */
+/*     $NetBSD: in6_proto.c,v 1.95.6.1 2013/07/08 07:40:34 jdc Exp $   */
 /*     $KAME: in6_proto.c,v 1.66 2000/10/10 15:35:47 itojun Exp $      */
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: in6_proto.c,v 1.95 2011/12/31 20:41:59 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: in6_proto.c,v 1.95.6.1 2013/07/08 07:40:34 jdc Exp $");
 
 #include "opt_gateway.h"
 #include "opt_inet.h"
@@ -475,6 +475,10 @@
                                 * walk list every 5 sec. */
 int    ip6_mcast_pmtu = 0;     /* enable pMTU discovery for multicast? */
 int    ip6_v6only = 1;
+int     ip6_neighborgcthresh = 2048; /* Threshold # of NDP entries for GC */
+int     ip6_maxifprefixes = 16; /* Max acceptable prefixes via RA per IF */
+int     ip6_maxifdefrouters = 16; /* Max acceptable def routers via RA */
+int     ip6_maxdynroutes = 4096; /* Max # of routes created via redirect */
 
 int    ip6_keepfaith = 0;
 time_t ip6_log_time = 0;
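Review bot: The comments on the four new defaults do not record that a negative value disables the limit, which is the sentinel the consumers rely on (`0 <= ip6_maxdynroutes && …` in icmp6.c, `ip6_neighborgcthresh >= 0 && …` in nd6.c); suggest `int ip6_maxdynroutes = 4096; /* Max # of routes created via redirect; <0 = no limit */` and the same qualifier on the other three. The new declarations also appear to use a different run of whitespace after `int` than the surrounding tab-aligned ones; matching the file's existing alignment would keep the table readable.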
diff -r 11c0172309c6 -r 8a859bb6f336 sys/netinet6/in6_var.h
--- a/sys/netinet6/in6_var.h    Thu Jun 27 01:27:56 2013 +0000
+++ b/sys/netinet6/in6_var.h    Mon Jul 08 07:40:34 2013 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: in6_var.h,v 1.64 2009/01/15 23:22:15 christos Exp $    */
+/*     $NetBSD: in6_var.h,v 1.64.24.1 2013/07/08 07:40:34 jdc Exp $    */
 /*     $KAME: in6_var.h,v 1.81 2002/06/08 11:16:51 itojun Exp $        */
 
 /*
@@ -94,6 +94,8 @@
        struct icmp6_ifstat *icmp6_ifstat;
        struct nd_ifinfo *nd_ifinfo;
        struct scope6_id *scope6_id;
+       int nprefixes;
+       int ndefrouters;
 };
 
 struct in6_ifaddr {
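Review bot: The two new `struct in6_ifextra` fields carry no comment, while every neighbouring member is self-describing by name; suggest `int nprefixes;	/* prefixes learned from RAs on this interface */` and `int ndefrouters;	/* default routers learned from RAs on this interface */`. Because these counters are compared against `ip6_maxifprefixes` and `ip6_maxifdefrouters`, every path that adds or removes a prefix or default router has to keep them balanced, otherwise an interface can stop accepting RA-derived entries well before the configured limit; that maintaining code is presumably in nd6_rtr.c, which the diffstat lists but this page truncates.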
diff -r 11c0172309c6 -r 8a859bb6f336 sys/netinet6/ip6_input.c
--- a/sys/netinet6/ip6_input.c  Thu Jun 27 01:27:56 2013 +0000
+++ b/sys/netinet6/ip6_input.c  Mon Jul 08 07:40:34 2013 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ip6_input.c,v 1.136 2012/01/10 20:01:56 drochner Exp $ */
+/*     $NetBSD: ip6_input.c,v 1.136.6.1 2013/07/08 07:40:34 jdc Exp $  */
 /*     $KAME: ip6_input.c,v 1.188 2001/03/29 05:34:31 itojun Exp $     */
 
 /*
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.136 2012/01/10 20:01:56 drochner Exp $");
+__KERNEL_RCSID(0, "$NetBSD: ip6_input.c,v 1.136.6.1 2013/07/08 07:40:34 jdc Exp $");
 
 #include "opt_gateway.h"
 #include "opt_inet.h"
@@ -1989,6 +1989,38 @@
                        CTL_NET, PF_INET6, IPPROTO_IPV6,
                        CTL_CREATE, CTL_EOL);
 #endif
+       sysctl_createv(clog, 0, NULL, NULL,
+                      CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+                      CTLTYPE_INT, "neighborgcthresh",
+                      SYSCTL_DESCR("Maximum number of entries in neighbor"
+                        " cache"),
+                      NULL, 1, &ip6_neighborgcthresh, 0,
+                      CTL_NET, PF_INET6, IPPROTO_IPV6,
+                      CTL_CREATE, CTL_EOL);
+       sysctl_createv(clog, 0, NULL, NULL,
+                      CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+                      CTLTYPE_INT, "maxifprefixes",
+                      SYSCTL_DESCR("Maximum number of prefixes created by"
+                          " route advertisement per interface"),
+                      NULL, 1, &ip6_maxifprefixes, 0,
+                      CTL_NET, PF_INET6, IPPROTO_IPV6,
+                      CTL_CREATE, CTL_EOL);
+       sysctl_createv(clog, 0, NULL, NULL,
+                      CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+                      CTLTYPE_INT, "maxifdefrouters",
+                      SYSCTL_DESCR("Maximum number of default routers created"
+                          " by route advertisement per interface"),
+                      NULL, 1, &ip6_maxifdefrouters, 0,
+                      CTL_NET, PF_INET6, IPPROTO_IPV6,
+                      CTL_CREATE, CTL_EOL);
+       sysctl_createv(clog, 0, NULL, NULL,
+                      CTLFLAG_PERMANENT|CTLFLAG_READWRITE,
+                      CTLTYPE_INT, "maxdynroutes",
+                      SYSCTL_DESCR("Maximum number of routes created via"
+                          " redirect"),
+                      NULL, 1, &ip6_maxdynroutes, 0,
+                      CTL_NET, PF_INET6, IPPROTO_IPV6,
+                      CTL_CREATE, CTL_EOL);
 }
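Review bot: The SYSCTL_DESCR strings for `maxifprefixes` and `maxifdefrouters` say "route advertisement"; the Neighbor Discovery message that installs prefixes and default routers is the Router Advertisement, so the text should read `" router advertisement per interface"` (the man page hunk has the same wording). The description for `neighborgcthresh`, "Maximum number of entries in neighbor cache", also overstates it: the in6_proto.c comment calls it a GC threshold, and the nd6.c hunk starts purging only once `nd6_inuse` reaches it, so something like `"Neighbor cache size at which old entries are garbage-collected"` is more accurate. No write validation is attached to the four nodes, which is acceptable here since any negative value simply disables the limit; the enclosing setup function starts outside the hunk.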
 
 void
diff -r 11c0172309c6 -r 8a859bb6f336 sys/netinet6/ip6_var.h
--- a/sys/netinet6/ip6_var.h    Thu Jun 27 01:27:56 2013 +0000
+++ b/sys/netinet6/ip6_var.h    Mon Jul 08 07:40:34 2013 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: ip6_var.h,v 1.58 2012/01/19 13:19:34 liamjfoy Exp $    */
+/*     $NetBSD: ip6_var.h,v 1.58.6.1 2013/07/08 07:40:34 jdc Exp $     */
 /*     $KAME: ip6_var.h,v 1.33 2000/06/11 14:59:20 jinmei Exp $        */
 
 /*
@@ -272,6 +272,10 @@
                                         * walk list every 5 sec.    */
 extern int     ip6_mcast_pmtu;         /* enable pMTU discovery for multicast? */
 extern int     ip6_v6only;
+extern int     ip6_neighborgcthresh;   /* Threshold # of NDP entries for GC */
+extern int     ip6_maxifprefixes; /* Max acceptable prefixes via RA per IF */
+extern int     ip6_maxifdefrouters;    /* Max acceptable def routers via RA */
+extern int     ip6_maxdynroutes; /* Max # of routes created via redirect */
 
 extern struct socket *ip6_mrouter;     /* multicast routing daemon */
 extern int     ip6_sendredirects;      /* send IP redirects when forwarding? */
diff -r 11c0172309c6 -r 8a859bb6f336 sys/netinet6/nd6.c
--- a/sys/netinet6/nd6.c        Thu Jun 27 01:27:56 2013 +0000
+++ b/sys/netinet6/nd6.c        Mon Jul 08 07:40:34 2013 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: nd6.c,v 1.141 2012/02/03 03:32:45 christos Exp $       */
+/*     $NetBSD: nd6.c,v 1.141.6.1 2013/07/08 07:40:34 jdc Exp $        */
 /*     $KAME: nd6.c,v 1.279 2002/06/08 11:16:51 itojun Exp $   */
 
 /*
@@ -31,7 +31,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: nd6.c,v 1.141 2012/02/03 03:32:45 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: nd6.c,v 1.141.6.1 2013/07/08 07:40:34 jdc Exp $");
 
 #include "opt_ipsec.h"
 
@@ -135,6 +135,17 @@
 
 MALLOC_DEFINE(M_IP6NDP, "NDP", "IPv6 Neighbour Discovery");
 
+#define LN_DEQUEUE(ln) do { \
+       (ln)->ln_next->ln_prev = (ln)->ln_prev; \
+       (ln)->ln_prev->ln_next = (ln)->ln_next; \
+       } while (/*CONSTCOND*/0)
+#define LN_INSERTHEAD(ln) do { \
+       (ln)->ln_next = llinfo_nd6.ln_next; \
+       llinfo_nd6.ln_next = (ln); \
+       (ln)->ln_prev = &llinfo_nd6; \
+       (ln)->ln_next->ln_prev = (ln); \
+       } while (/*CONSTCOND*/0)
+
 void
 nd6_init(void)
 {
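Review bot: `LN_INSERTHEAD` duplicates the open-coded head insertion already present in the neighbor-cache insertion path (visible later in this diff as `ln->ln_prev = &llinfo_nd6; ln->ln_next->ln_prev = ln;`), so two copies of the same list manipulation now coexist; making that existing site use the macro would keep one definition of the list invariant. `LN_DEQUEUE` leaves `ln_prev`/`ln_next` pointing at neighbours that no longer link back to the entry, which is fine when the entry is re-inserted or freed immediately, but a one-line comment stating that contract, e.g. `/* unlink only; caller must re-insert or free ln */`, would make it explicit.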
@@ -476,7 +487,7 @@
                        nd6_llinfo_settimer(ln, (long)nd6_gctimer * hz);
                }
                break;
-
+       case ND6_LLINFO_PURGE:
        case ND6_LLINFO_STALE:
                /* Garbage Collection(RFC 2461 5.3) */
                if (!ND6_LLINFO_PERMANENT(ln)) {
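Review bot: `ND6_LLINFO_PURGE` now shares the STALE garbage-collection path, which only acts when `!ND6_LLINFO_PERMANENT(ln)`; if the purge loop further down can move a permanent entry into the PURGE state, that entry would sit in it indefinitely. The loop body is truncated on this page, so this is an assumption to confirm; if it already skips permanent entries, a short comment above the new label, such as `/* PURGE: marked when the cache exceeds ip6_neighborgcthresh; freed here on timeout */`, would make the coupling between the two hunks visible. The enclosing switch begins and ends outside the hunk.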
@@ -1336,6 +1347,35 @@
                ln->ln_prev = &llinfo_nd6;
                ln->ln_next->ln_prev = ln;
 
+               /*
+                * If we have too many cache entries, initiate immediate
+                * purging for some "less recently used" entries.  Note that
+                * we cannot directly call nd6_free() here because it would
+                * cause re-entering rtable related routines triggering an LOR
+                * problem for FreeBSD.
+                */
+               if (ip6_neighborgcthresh >= 0 &&
+                   nd6_inuse >= ip6_neighborgcthresh) {
+                       int i;
+
+                       for (i = 0; i < 10 && llinfo_nd6.ln_prev != ln; i++) {


